Ice phishing is a form of blockchain-based attack that Microsoft raised concerns about earlier in 2022. It works by tricking a user into signing a malicious transaction so that the criminal gains control over the crypto assets involved.
Whether sending money anonymously carries serious risk has been debated at length in the digital space; it does. One of the phishing scams gaining ground recently is the so-called "ice phishing attack".
The crypto industry has exploded in recent years, with a growing number of people creating anonymous accounts on the blockchain to raise crypto funds and chase profits. While all of this looks quite magical, the reality is less rosy.
Microsoft recently issued a stern warning to users about a variant of phishing that specifically targets the Web3 and blockchain environment. The ice phishing strategy is relatively new but evolving.
Ice phishing scams are cyber-attacks that trick Web3 users into manually signing and approving permissions that let the criminals spend the victim's tokens. Such permissions are normally signed for decentralized finance (DeFi) protocols, whose interfaces can easily be faked.
Blockchain security company CertiK has reminded the cryptocurrency space to remain on high alert over the ice phishing scams first identified by Microsoft earlier this year. In its December 20 analysis, CertiK described ice phishing as a type of attack that tricks Web3 users into signing permissions that let scammers spend their tokens.
2/ The scam begins when a victim is tricked into approving the ice phishing address.
The scammer's address will be presented to you when you are interacting with a malicious URL or dApp.
— CertiK Alert (@CertiKAlert) December 20, 2022
Ice phishing differs from traditional phishing attacks, which try to obtain confidential information such as private keys and passwords; an example of the latter is the phony websites set up after the collapse of FTX that claimed to help the exchange's investors recover their lost funds.
A December 17 scam in which 14 Bored Apes were stolen is a notable example of a thorough ice phishing attack. An investor was convinced to sign a transaction request disguised as a film contract, which ultimately enabled the scammer to sell all of the user's apes to themselves for a trivial amount.
5/ Victims may notice funds being transferred to an unknown address, but it's the EOA that initiated the transaction that has compromised your wallet.
Check your approvals for any addresses that may have compromised your wallet.
— CertiK Alert (@CertiKAlert) December 20, 2022
The firm noted that this type of scam is a major threat in Web3, because investors are routinely required to sign permissions for the DeFi protocols they interact with, and those permission requests can easily be faked:
“The hacker just needs to make a user believe that the malicious address that they are approving is legitimate. Once a user has approved permissions for the scammer to spend tokens, then the assets are at risk of being drained.”
Once the approval has been granted, the scammer no longer needs anything from the victim: they can call the token contract's transferFrom function at any later time and move the approved tokens to addresses of their choice.
Data Decentralization And the Blockchain
Data decentralization describes a data model in which authority over different data entities is dispersed across a distributed network instead of being concentrated in the hands of a single agency or entity. It follows the principle that each participant looks after their own data, minimizing the interdependency among the parties handling it.
Blockchain can be described as a decentralized database that works mainly as a storage unit for crypto transactions. Being digitally distributed and deconcentrated, it preserves the pseudonymity of participants while keeping a permanent record of their transactions. Information on the blockchain is stored electronically and replicated across the network's nodes; it is publicly readable, but cannot be altered by any third party.
The blockchain is designed as a distributed ledger whose records cannot be changed once added. Every 'block' works as a separate storage unit holding a set of transactions within a limited space.
Once a block is full, a new block is created for the next set of records and linked to the previous block by including that block's hash. This produces a chain of blocks that gives the blockchain its name.
Web 3.0 And Its Possible Risks
Built on the foundation of blockchain technology, Web 3.0, or Web3 as it is mostly known, is a decentralized web environment in which users interact with applications and manage their investments while keeping more control over their data. In Web3, identity and control over assets are tied to a private key that only the user holds; whoever can produce a signature with that key can move the assets.
Unlike Web2, where data is stored on centralized servers supervised by a handful of large tech firms, Web3 promises more in terms of security and scalability and is rapidly becoming the next big thing in the crypto space.
Nevertheless, Web3 is still in its infancy and needs a great deal of development. Like Web 1.0 and Web 2.0, it is not immune to data breaches or security challenges. The lack of centralization also means there is no regulator or intermediary who can reverse a fraudulent transaction, which leaves room for many malicious activities.
How Ice Phishing Attacks Operate
Attackers often pose as customer service agents for a crypto project or service and reach out to users asking for help in the project's or community's Discord servers or Twitter threads. They then try to hook the user into signing a transaction that grants the attacker approval over the victim's crypto assets, after which the attacker has full control of them.
This strategy is most effective against decentralized finance (DeFi) services such as decentralized exchanges (DEXs), since these can be complex for novice crypto users to navigate and always require connecting a wallet such as MetaMask.
If you walk through a transaction to swap some DAI for ILV (the token of the Illuvium metaverse game) on SushiSwap, a popular decentralized exchange, you will find that before SushiSwap can execute the trade, you must grant its contract access to the DAI in your wallet.
Expanding the transaction details shows that by confirming it you grant the contract an allowance to spend up to a maximum amount of DAI on your behalf, often the largest amount representable. Even so, the wallet gives only limited information about the nature of the access you are granting to the other account and about the actions that may follow once the contract holds that authority.
An ice phishing attack serves a fraudulent link posing as a decentralized exchange such as SushiSwap, or as a help page for a crypto service; when the victim goes to sign the transaction, the attacker has already placed their own address in the `Granted to:` field. That single approval gives them access to the crypto assets in the victim's wallet and lets them transfer the assets out.
Because MetaMask displays the spender as a raw contract address rather than an identifiable name, the switch is not immediately obvious unless you look the address up on a block explorer or blockchain analytics tool and confirm it belongs to the entity you expect rather than the attacker.
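The check described above can be automated before the signature ever happens. The following is an added example, not code from the article, from MetaMask or from CertiK: it decodes the calldata of a transaction a dApp proposes, identifies the three standard approval functions (`approve`, `increaseAllowance`, `setApprovalForAll`), extracts the spender address that would end up in the `Granted to:` field, and flags it when it is not one of the contracts you intended to approve or when the allowance is unlimited. The token, router and attacker addresses, and the transactions built from them, are constructed placeholders; in real use the trusted list is the contract addresses published in the project's official documentation.

```javascript
// Added example (not code from the article, MetaMask or CertiK): decode the
// calldata of a transaction a dApp asks you to sign and report who is being
// granted what. All addresses below are constructed placeholders.

// Function selector = first 4 bytes of keccak256(signature).
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",           // ERC-20 allowance / ERC-721 single-token approval
  "0x39509351": "increaseAllowance(address,uint256)", // OpenZeppelin ERC-20 extension, also grants spending rights
  "0xa22cb465": "setApprovalForAll(address,bool)",    // ERC-721 / ERC-1155: operator may move every token
};
const MAX_UINT256 = (1n << 256n) - 1n;

// ABI encoding: each argument is a 32-byte word (64 hex chars) after the 4-byte selector.
const word = (data, i) => data.slice(10 + i * 64, 10 + (i + 1) * 64);
const wordToAddress = (w) => "0x" + w.slice(24); // address is right-aligned in its word
const padWord = (v) =>
  (typeof v === "string" ? v.slice(2) : BigInt(v).toString(16)).toLowerCase().padStart(64, "0");

// Build calldata for the constructed samples (address args as strings, numbers as BigInt/bool).
const encodeCall = (selector, ...args) => selector + args.map(padWord).join("");

// tx: { to, data } as a wallet would show it; trustedSpenders: addresses you
// actually intended to approve (taken from the project's official documentation).
function inspectTransaction(tx, trustedSpenders) {
  const data = tx.data.toLowerCase();
  const selector = data.slice(0, 10);
  const kind = SELECTORS[selector];
  if (!kind) return { kind: "other", selector, risky: false }; // not an approval; review separately
  const spender = wordToAddress(word(data, 0));
  const trusted = trustedSpenders.some((a) => a.toLowerCase() === spender);
  const result = { kind, token: tx.to.toLowerCase(), spender, trusted };
  if (kind === "setApprovalForAll(address,bool)") {
    result.approved = BigInt("0x" + word(data, 1)) === 1n;
    result.unlimited = result.approved;           // an operator can transfer every token you own
    result.risky = !trusted && result.approved;   // approved=false is a revocation
  } else {
    result.amount = BigInt("0x" + word(data, 1));
    result.unlimited = result.amount === MAX_UINT256;
    result.risky = !trusted && result.amount > 0n; // amount 0 is a revocation
  }
  return result;
}

// Constructed placeholders: the token being approved, the DEX contract you meant to
// approve, and the address a phishing page substituted into the "Granted to" field.
const TOKEN    = "0x00000000000000000000000000000000000000aa";
const ROUTER   = "0x00000000000000000000000000000000000000bb";
const ATTACKER = "0x00000000000000000000000000000000000000cc";

// The legitimate swap: approve 250 tokens (18 decimals) to the router.
const legitTx = { to: TOKEN, data: encodeCall("0x095ea7b3", ROUTER, 250n * 10n ** 18n) };
// The ice-phishing variant: same token, unlimited allowance, spender swapped for the attacker.
const phishTx = { to: TOKEN, data: encodeCall("0x095ea7b3", ATTACKER, MAX_UINT256) };
// NFT variant of the same trick: hand the attacker operator rights over a whole collection.
const nftTx   = { to: TOKEN, data: encodeCall("0xa22cb465", ATTACKER, true) };

for (const tx of [legitTx, phishTx, nftTx]) console.log(inspectTransaction(tx, [ROUTER]));
```

The legitimate transaction decodes to a bounded allowance for the router and is not flagged; the phishing transaction decodes to an unlimited allowance for an address not on the trusted list and is flagged, as is the `setApprovalForAll` request. Anything that is not an approval is reported as `other`, which is not a clean bill of health: a plain `transfer` call still moves funds and has to be read on its own terms.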
Interacting with decentralized exchanges is not the only source of ice phishing risk; entering the metaverse carries it too, since access to the full range of functions and interactions requires you to sign into the virtual world with your blockchain account.
Decentraland requires a simple sign-in through MetaMask, and the Gotchiverse asks you to sign a welcome message to prove your identity. A malicious actor can exploit this by offering a fake link to the metaverse, directing the victim to sign in through it, and presenting an approval transaction in place of the harmless message-signing or interaction step, thereby gaining access to the crypto assets in the account.
Attack Use Case
Perhaps the most famous ice phishing attack so far is the one on BadgerDAO, in which the criminals stole more than $100 million from unsuspecting users.
They achieved it by compromising the BadgerDAO web application and injecting malicious code that duped users into signing a transaction delegating control of the ERC-20 tokens in their wallets. Users who believed they were depositing tokens into BadgerDAO to earn yield were instead signing an approval that gave the attackers full access to their funds.
For more than 10 hours on December 2, 2021, the hackers drained funds from victims' accounts, deliberately targeting those with large balances and modifying their script throughout the day to avoid detection. BadgerDAO eventually spotted the theft and paused the smart contracts, but not before the attackers had stolen $121 million from 200 accounts.
How To Protect Yourself
You can take various measures to protect yourself from ice phishing attacks. They include:
- When you send funds or approve access to crypto assets in your account, check the contract address on Etherscan or with a blockchain analytics tool to confirm it belongs to the entity you expect.
- When signing a transaction in MetaMask or any other crypto wallet, read the transaction details carefully, especially the spender address and the spending cap, and confirm it will perform only the operations you expect. Where the wallet allows it, set a limited cap instead of approving an unlimited amount.
- Always access decentralized applications and services through their verified URL to avoid phishing links and domain squatters. When in doubt, you can find the project's URL on its verified Twitter account.
- Segregate your crypto assets: keep long-term holdings such as more valuable non-fungible tokens in cold storage, and keep funds for transactions and the more active dApps in a separate hot wallet.
- Always make sure you are speaking with official representatives of a project, and be wary of anyone who reaches out on Discord or other social media platforms posing as a customer service assistant. If in doubt, contact the project through its officially recognized email and social media accounts to check.
- Review the approvals your address has already granted from time to time and revoke (set to zero) any you no longer need or do not recognize. An approval stays valid until it is explicitly revoked, so a phishing approval signed months ago can still be used today.
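Reviewing existing approvals, as the CertiK thread above advises, means reconstructing them from the chain. The following is an added example and not code from the article, from CertiK or from any revoke tool: it takes ERC-20 `Approval` event logs in the shape returned by `eth_getLogs`, keeps the most recent event per token and spender for one owner (the `Approval` event carries the new absolute allowance), drops allowances already set to zero, flags spenders that are not on the owner's trusted list or that hold an unlimited allowance, and builds the `approve(spender, 0)` calldata that revokes each one. The logs, owner and contract addresses are constructed placeholders. Because not every token emits `Approval` when an allowance is consumed, the live value should be confirmed with the token's `allowance(owner, spender)` view before acting on a finding; ERC-721 `ApprovalForAll` events can be audited the same way with their own event topic.

```javascript
// Added example (not code from the article, CertiK, or any revoke tool): rebuild a
// wallet's outstanding ERC-20 approvals from Approval event logs, flag the ones that
// go to an unexpected spender or are unlimited, and produce the approve(spender, 0)
// calldata that revokes each one. Logs and addresses are constructed placeholders.

const APPROVAL_TOPIC = // keccak256("Approval(address,address,uint256)")
  "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
const APPROVE_SELECTOR = "0x095ea7b3"; // approve(address,uint256)
const MAX_UINT256 = (1n << 256n) - 1n;

const padAddress = (a) => a.slice(2).toLowerCase().padStart(64, "0"); // 32-byte topic/word form
const topicToAddress = (t) => "0x" + t.slice(26);                      // last 20 bytes of the topic

// logs: eth_getLogs-style objects { address, topics, data, blockNumber, logIndex }.
function auditApprovals(logs, owner, trustedSpenders) {
  const ownerTopic = "0x" + padAddress(owner);
  const trusted = new Set(trustedSpenders.map((a) => a.toLowerCase()));
  const latest = new Map(); // "token|spender" -> most recent Approval for this owner

  for (const log of logs) {
    if (log.topics[0] !== APPROVAL_TOPIC) continue;
    if (log.topics[1].toLowerCase() !== ownerTopic) continue; // topics[1] = indexed owner
    const token = log.address.toLowerCase();
    const spender = topicToAddress(log.topics[2]);            // topics[2] = indexed spender
    const key = token + "|" + spender;
    const prev = latest.get(key);
    // approve() writes an absolute value, so the chronologically last event is the
    // current allowance (order by block number, then by position within the block).
    const newer = !prev || log.blockNumber > prev.blockNumber ||
      (log.blockNumber === prev.blockNumber && log.logIndex > prev.logIndex);
    if (newer) latest.set(key, { token, spender, value: BigInt(log.data),
                                 blockNumber: log.blockNumber, logIndex: log.logIndex });
  }

  const findings = [];
  for (const a of latest.values()) {
    if (a.value === 0n) continue; // already revoked
    const known = trusted.has(a.spender);
    findings.push({
      token: a.token, spender: a.spender, value: a.value,
      unlimited: a.value === MAX_UINT256,
      risky: !known,                                   // a spender you never meant to approve
      // transaction that sets the allowance back to zero: approve(spender, 0)
      revokeTx: { to: a.token, data: APPROVE_SELECTOR + padAddress(a.spender) + "0".repeat(64) },
    });
  }
  return findings;
}

// Constructed sample data.
const OWNER    = "0x0000000000000000000000000000000000000011";
const OTHER    = "0x0000000000000000000000000000000000000022"; // someone else's wallet
const TOKEN_A  = "0x00000000000000000000000000000000000000aa";
const TOKEN_B  = "0x00000000000000000000000000000000000000ab";
const ROUTER   = "0x00000000000000000000000000000000000000bb"; // the DEX contract you really use
const ATTACKER = "0x00000000000000000000000000000000000000cc"; // address from a phishing page

function approvalLog(token, owner, spender, value, blockNumber, logIndex) {
  return { address: token, blockNumber, logIndex,
           topics: [APPROVAL_TOPIC, "0x" + padAddress(owner), "0x" + padAddress(spender)],
           data: "0x" + value.toString(16).padStart(64, "0") };
}
const SAMPLE_LOGS = [
  approvalLog(TOKEN_A, OWNER, ROUTER,   250n * 10n ** 18n, 100, 3), // normal swap approval
  approvalLog(TOKEN_B, OWNER, ROUTER,   MAX_UINT256,         95, 0), // unlimited, but to a known spender
  approvalLog(TOKEN_A, OTHER, ATTACKER, MAX_UINT256,         90, 1), // another victim, not our wallet
  approvalLog(TOKEN_A, OWNER, ATTACKER, MAX_UINT256,        101, 7), // the ice-phishing approval
  approvalLog(TOKEN_A, OWNER, ROUTER,   0n,                 102, 2), // owner revoked the router later
];

console.log(auditApprovals(SAMPLE_LOGS, OWNER, [ROUTER]));
```

On the sample data two approvals remain outstanding: the unlimited one to the attacker on TOKEN_A, flagged as risky with its revoke calldata ready to sign, and the unlimited one to the router on TOKEN_B, which is to a known spender but is reported as unlimited so you can decide whether to trim it. The TOKEN_A allowance to the router was set back to zero in a later block and is therefore not listed.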